RE: CC request for interpretation: testing while in normal mode?
On Mon, 11 Feb 2002 07:11:30 -0800, "McEvilley, Michael"
<mam@decisive-analytics.com> said:
> 1. The correct placement of AMT, TST and the issue of INT is
> problematic if the current CC definition of TSF is accurate. That is,
> that the TSF is strictly those functions that enforce the TSP. I find
> the CC definition of TSF to be too narrow.
But that's not the CC definition. Look in Part 1. The definition is not just
the functions that enforce; it is everything in the TOE "that must be relied
upon for the correct enforcement". It is the "relied upon" words that create
the problem. One could argue that one has to rely upon the AMT tests or system
initialization for correct enforcement of the policy, even though those
components don't directly enforce policy. Similarly, one could argue that
one "relies upon" assurance aspects for correct enforcement. In some ways, the
"relies upon" words are as muddled as "on behalf of" used to be in the TCSEC
era.
> 2. Perhaps we should also be discussing the meaning of TSP. The CC
> states ... "TOE Security Policy (TSP) - A set of rules that regulate how
> assets are managed, protected and distributed within a TOE." What is
> the context of "protected". Does protection include both that which
> provides protection and that which ensures protection??? I believe the
> CC definition of TSP, and therefore TSF - is too vague.
I agree here. It also begs the question: Is Audit a TSP? Is I&A a TSP? How do
we distinguish SFPs from TSPs?
Daniel